httpd-users mailing list archives

From Jason Pitt <jnp...@uw.edu>
Subject Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success
Date Wed, 15 Aug 2018 21:50:17 GMT
OK, I have a workaround, but I'm really unhappy with it, and I'd like it if
someone could verify for me that I'm not doing something wrong before I
change my whole code base to deal with the CGI scripts not being present in
the Apache default cgi-bin (on my system /usr/lib/cgi-bin).  So when a
client requests a file from the cgi-bin, Apache seems to execute it before
asking for Basic Authorization.  However, if I take the exact same
apache2.config block, change the directory to somewhere else, in
this case /var/www/html, add +ExecCGI and a handler for .cgi files... Apache
has the behavior I'd expect.  It asks for authorization, then executes the
.cgi file.  Why on earth can't I just do that for the default cgi-bin???

So this works:
<Directory /var/www/html>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
</Directory>

This asks for a password but executes the script regardless of user input:
<Directory /usr/lib/cgi-bin>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
</Directory>

Exact same CGI script... just placed in different locations.

Is this a "feature" of Apache I'm just not appreciating?

-J

On Wed, Aug 15, 2018 at 2:34 AM, Eric Covener <covener@gmail.com> wrote:

> > Here's from the access.log:
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> >
>
> Looks like two page loads 30 seconds apart, but I notice there is no
> request for the CGI itself for the first one but requests for the page
> elements.
> Are you sure there's no browser caching in the way here?  And perhaps
> the basic auth credentials are cached for the /cgi-bin/ path but the
> browser doesn't send them automatically for the static elements that
> don't share a context root?
>
> A private/incognito window, or temporarily logging %{Authorization}i
> might clear some things up.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
/*
Jason Pitt PhD                                   206.616.1193
Kaeberlein Lab                                   jnpitt@uw.edu
University of Washington
Department of Pathology
Health Sciences Building                    Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/
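A way to check the access.log excerpt along the lines Eric suggests, added here as an example and not part of the thread: it parses Apache combined-format lines, groups them into page loads by client and time gap, and reports pages that were served with 200 while the resources they embed (linked by Referer) were challenged with 401, which is exactly the pattern in the excerpt above. The sample input is the quoted excerpt re-joined onto one line per request; the 10-second grouping gap and the helper names are my own choices, not anything from the thread or from Apache.

```python
import re
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample input: the access.log excerpt quoted in the thread, with the
# mail-archive line wrapping undone so each request is one Combined Log Format line.
SAMPLE_LOG = """\
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Dict:
    """Parse one combined-format line into a dict; raise ValueError on a mismatch."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text: str) -> List[Dict]:
    """Parse every non-blank line of an access log, preserving file order."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def page_loads(records: List[Dict], gap_seconds: int = 10) -> List[List[Dict]]:
    """Group consecutive requests from one client into page loads; a new group
    starts when the client changes or more than gap_seconds pass between requests."""
    loads: List[List[Dict]] = []
    for rec in records:
        if (loads and loads[-1][-1]["host"] == rec["host"]
                and (rec["time"] - loads[-1][-1]["time"]).total_seconds() <= gap_seconds):
            loads[-1].append(rec)
        else:
            loads.append([rec])
    return loads


def requests_under(load: List[Dict], prefix: str) -> List[Dict]:
    """Requests in a page load whose path starts with prefix (e.g. "/cgi-bin/")."""
    return [r for r in load if r["path"].startswith(prefix)]


def served_while_subresources_challenged(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each path that returned 200 to the sorted paths that returned 401 while
    naming it as Referer: the page went out, but the resources it embeds were
    challenged, which is what cached credentials for one path prefix look like."""
    served = {r["path"] for r in records if r["status"] == 200}
    out: Dict[str, set] = {}
    for r in records:
        if r["status"] != 401 or r["referer"] == "-":
            continue
        ref_path = urlparse(r["referer"]).path
        if ref_path in served:
            out.setdefault(ref_path, set()).add(r["path"])
    return {page: sorted(paths) for page, paths in out.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for n, load in enumerate(page_loads(recs), 1):
        cgi = [r["path"] for r in requests_under(load, "/cgi-bin/")]
        print(f"load {n}: {len(load)} requests, CGI requests: {cgi or 'none'}")
        for r in load:
            print(f"  {r['time']:%H:%M:%S} {r['status']} {r['path']}")
    print("served while sub-resources got 401:", served_while_subresources_challenged(recs))
```

Run against the excerpt this reports two loads; the first contains no request for /cgi-bin/experimentbrowser at all (only its images, all 401), and the second shows the CGI answered with 200 while the same images were again 401. That is consistent with the browser replaying cached Basic credentials for /cgi-bin/ but not for /wormbot/img/, rather than with Apache skipping the auth check. If you follow Eric's advice and add `%{Authorization}i` to a temporary LogFormat, remember that a Basic header is only base64 of `user:password`, so keep that log short-lived and readable by root only.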
